General

  • Target

    76c5758b7b3188776a3790f726629726a21f32f9875e88cf172085d9daf0bb95

  • Size

    324KB

  • Sample

    221020-sgywbsafar

  • MD5

    4b7d9218f38004dbf9e49e10001f5360

  • SHA1

    98ea408616736c9c8ac17f10ceaf6ab796666966

  • SHA256

    76c5758b7b3188776a3790f726629726a21f32f9875e88cf172085d9daf0bb95

  • SHA512

    02c471820a7e650fa711b93cd22af853e94c40a05f6ed433062a9d669cd2d49f23a15dd98a70a72dc90926fada5a351ba377e27ac77eda976cc97d89e3025c4c

  • SSDEEP

    6144:wxJsGW1oxDNT/xQphU+jrlgzfuzt91C9NDyWId98HhqbxtHGZwIoYg1:SJsGW14h/xQp6+tqOYy9zo0P

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

C2

spycronic157.no-ip.biz:2000

Mutex

Pluguin

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Pluguin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.

  • message_box_title

    LAMMER

  • password

    123

  • regkey_hkcu

    Win32

  • regkey_hklm

    Win32

Targets

    • Target

      76c5758b7b3188776a3790f726629726a21f32f9875e88cf172085d9daf0bb95

    • Size

      324KB

    • MD5

      4b7d9218f38004dbf9e49e10001f5360

    • SHA1

      98ea408616736c9c8ac17f10ceaf6ab796666966

    • SHA256

      76c5758b7b3188776a3790f726629726a21f32f9875e88cf172085d9daf0bb95

    • SHA512

      02c471820a7e650fa711b93cd22af853e94c40a05f6ed433062a9d669cd2d49f23a15dd98a70a72dc90926fada5a351ba377e27ac77eda976cc97d89e3025c4c

    • SSDEEP

      6144:wxJsGW1oxDNT/xQphU+jrlgzfuzt91C9NDyWId98HhqbxtHGZwIoYg1:SJsGW14h/xQp6+tqOYy9zo0P

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks